COMMAND
WN Server remote buffer overflows
SYSTEMS AFFECTED
John Franks’ WN Server versions 1.18.2 through 2.0.0
PROBLEM
From David Endler's iDEFENSE [http://www.idefense.com] security advisory
[09.30.2002]:
This issue was exclusively disclosed to iDEFENSE by badc0ded
http://www.idefense.com/contributor.html
Exploitation is possible by issuing WN Server a long GET request. In
order to successfully exploit this vulnerability, customized shell code
is required to bypass the character filtering that WN Server imposes on
the requested URI.
"WN is a Web server which runs on a wide variety of UNIX platforms and
is freely available at no cost for any use under the terms of the GNU
General Public License." It is included in the latest FreeBSD ports
collection as well.
The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project
has assigned the identification number CAN-2002-1166 to this issue.
ANALYSIS
The following is a snapshot of an exploit at work:
$ (./wn_bof 0 3; cat) | nc target 80
Trying ret=0xbfbeb4ec
$ id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
$ uname
FreeBSD
Exploitation of a buffer overflow usually results in one of two things:
the targeted process/application crashes, or arbitrary code executes.
Both have serious repercussions, but in most cases code execution is
more threatening in that it could allow for the further usurpation of
higher-level privileges on the targeted host.
DETECTION
wn-1.18.2 through wn-2.0.0, including the version in the current
FreeBSD Project's FreeBSD ports collection, are vulnerable. Take the
following steps to determine whether a specific WN installation is
susceptible:
1. Ensure that WN is running and open two terminals.
2. In the first terminal execute:
$ (perl -e 'print "GET /" . "a"x1600';cat)|nc localhost 80
3. In the second terminal, determine the process ID of the child that
was spawned to handle the previous command, and attach GDB to it:
# ps ax | grep swn
4223 ?? Ss 0:00.29 ./swn
4711 ?? S 0:00.01 ./swn
# gdb ./swn 4711
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
...
4. In the second terminal, type 'c' telling GDB to continue.
5. In the first terminal, press enter. If at this point the following
output is returned from GDB, then a vulnerable WN installation is
running (0x61 is the ASCII code for 'a', so a fault at 0x61616161 means
the saved return address was overwritten with bytes from the request):
Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()
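The following is an added example, not part of the iDEFENSE advisory or of the WN
project's code. It shows the two checks an administrator can run without
crashing anything: a version-range test for the affected releases named above
(1.18.2 through 2.0.0, fixed in 2.4.4), and a scan of raw HTTP request lines
for the shape of the probe used in the detection steps (a request-URI far
longer than any legitimate path, made up largely of one repeated byte). The
length limit of 1024 and the sample request lines are constructed for the
example; tune the limit to the longest path the server legitimately serves.

```python
"""Defender-side checks for the WN Server overflow (CAN-2002-1166).

Added example; not code from the advisory or from the WN project.
"""
import re
from typing import List, Tuple

# Version range the advisory lists as vulnerable, and the fixed release.
AFFECTED_MIN = (1, 18, 2)
AFFECTED_MAX = (2, 0, 0)
FIXED = (2, 4, 4)

# Assumption: no legitimate request-URI on this server exceeds this length.
URI_LENGTH_LIMIT = 1024


def parse_version(text: str) -> Tuple[int, ...]:
    """Extract a dotted numeric version from strings like 'wn-2.0.0'
    or 'WN/1.18.2' (the prefix format is an assumption; only the digits
    are used)."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected_version(text: str) -> bool:
    """True if the version falls inside the advisory's vulnerable range.
    Tuple comparison handles mixed-length versions such as '1.18'."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def longest_run(s: str) -> int:
    """Length of the longest run of one repeated character."""
    best = cur = 0
    prev = None
    for ch in s:
        cur = cur + 1 if ch == prev else 1
        prev = ch
        best = max(best, cur)
    return best


def find_oversized_requests(
    request_lines: List[str], limit: int = URI_LENGTH_LIMIT
) -> List[Tuple[str, int, int]]:
    """Flag request lines whose URI exceeds `limit` bytes.

    Returns (method, uri_length, longest_single_byte_run) per hit. A long
    URI that is mostly one repeated byte is the classic padding of an
    overflow probe rather than a real path. Lines with no HTTP version
    (HTTP/0.9 style, like the advisory's perl probe) are handled too.
    """
    hits = []
    for line in request_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("GET", "HEAD", "POST"):
            continue
        uri = parts[1]
        if len(uri) > limit:
            hits.append((parts[0], len(uri), longest_run(uri)))
    return hits


# Constructed sample request lines: two normal requests, the advisory's
# 1600-byte probe, and a second oversized request with an HTTP version.
SAMPLE_REQUEST_LINES = [
    "GET /index.html HTTP/1.0",
    "GET /docs/manual.html HTTP/1.1",
    "GET /" + "a" * 1600,
    "HEAD /cgi-bin/" + "A" * 2000 + " HTTP/1.0",
]


if __name__ == "__main__":
    for label in ("wn-1.18.2", "wn-2.0.0", "wn-2.4.4"):
        print(label, "affected" if is_affected_version(label) else "not affected")
    for method, length, run in find_oversized_requests(SAMPLE_REQUEST_LINES):
        print(f"{method} request with {length}-byte URI, longest run {run}")
```

Running the block prints that wn-1.18.2 and wn-2.0.0 are affected and
wn-2.4.4 is not, and flags the two oversized requests from the sample set.
The same `find_oversized_requests` function can be fed request lines pulled
from an access log or a packet capture.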
SOLUTION
WN Server 2.4.4 is available at
http://hopf.math.nwu.edu/wn-2.4.4.tar.gz